I was working on an MVC 4.0 web application that contained some WebAPI controllers. The requirement was to secure the site using Windows Authentication. However, only the web pages required security; the API controllers did not. I changed the web.config and IIS 7.5 to provide Windows Authentication. I then added an authorize attribute to my MVC controllers like [Authorize(Roles = "FooWebUsers")]. Since the WebAPI controllers did not need security, I added the [AllowAnonymous] attribute to those controllers.
I tested the site and discovered the MVC controllers were properly secured, prompting a login – ok good. I hit one of the API routes in Fiddler and got an NT challenge and response, or prompt for login. What’s going on here? I added [AllowAnonymous] to the API controllers – not working. After much digging around I found what I wanted by implementing a custom Authorization attribute. Here are the steps I went through to implement this.